Deep Researcher
Security checks across malware telemetry and agentic risk
Overview
This looks like a legitimate research helper, but its setup includes a broad command that can update all installed skills, not just its own dependencies.
Review the upstream skills before use, use dedicated Tavily and Perplexity API keys where possible, and avoid entering confidential research topics unless those providers are acceptable. Do not run `clawhub update --all` unless you intentionally want every installed skill updated; install or update only the named dependencies instead.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
- Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
- Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
- Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
61/61 vendors flagged this skill as clean.
